Nessus Report
Nessus Scan Report
26/Sep/2013:04:40:53
HomeFeed: Commercial use of the report is prohibited
Any time Nessus is used in a commercial environment you MUST maintain an active subscription to the ProfessionalFeed in order to be compliant with our license agreement: http://www.nessus.org/products/nessus-professionalfeed
Scan Ubuntu With OSSEC + Postfix Prepare for PCI-DSS
• 11219 (2) - Nessus SYN scanner
• 22964 (2) - Service Detection
• 10107 (1) - HTTP Server Type and Version
• 10114 (1) - ICMP Timestamp Request Remote Date Disclosure
• 10267 (1) - SSH Server Type and Version Information
• 11032 (1) - Web Server Directory Enumeration
• 11936 (1) - OS Identification
• 18261 (1) - Apache Banner Linux Distribution Disclosure
Results Details

0/icmp

10114 - ICMP Timestamp Request Remote Date Disclosure

Synopsis
It is possible to determine the exact time set on the remote host.
Description
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols.

Timestamps returned from machines running Windows Vista / 7 / 2008 / 2008 R2 are deliberately incorrect, but usually within 1000 seconds of the actual system time.
Solution
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
It may be possible to send spoofed RST packets to the remote system.
Description
The remote host might be affected by a sequence number approximation vulnerability that may allow an attacker to send spoofed RST packets to the remote host and close established connections. This may cause problems for some dedicated services (BGP, a VPN over TCP, etc).
The remote host implements TCP timestamps, as defined by RFC1323. A side effect of this feature is that the uptime of the remote host can sometimes be computed.
The linux distribution detected was :
- Ubuntu 12.04 (precise)
- Ubuntu 12.10 (quantal)
- Ubuntu 13.04 (raring)
11936 - OS Identification

Synopsis
It is possible to guess the remote operating system.
Description
Using a combination of remote probes (TCP/IP, SMB, HTTP, NTP, SNMP, etc...), it is possible to guess the name of the remote operating system in use. It is also sometimes possible to guess the version of the operating system.
Remote operating system : Linux Kernel 3.5 on Ubuntu 12.10 (quantal)
Confidence Level : 95
Method : SSH

The remote host is running Linux Kernel 3.5 on Ubuntu 12.10 (quantal)
Based on the remote operating system, it is possible to determine what the remote system type is (eg: a printer, router, general-purpose computer, etc).
Remote device type : general-purpose
Confidence level : 95
45590 - Common Platform Enumeration (CPE)

Synopsis
It is possible to enumerate CPE names that matched on the remote system.
Description
By using information obtained from a Nessus scan, this plugin reports CPE (Common Platform Enumeration) matches for various hardware and software products found on a host.

Note that if an official CPE is not available for the product, this plugin computes the best possible CPE based on the information available from the scan.
The remote operating system matched the following CPE :

cpe:/o:canonical:ubuntu_linux:12.10 -> Canonical Ubuntu Linux 12.10

Following application CPE's matched on the remote system :

cpe:/a:openbsd:openssh:6.0 -> OpenBSD OpenSSH 6.0
cpe:/a:apache:http_server:2.2.22 -> Apache Software Foundation Apache HTTP Server 2.2.22
66334 - Patch Report

Synopsis
The remote host is missing several patches
Description
The remote host is missing one or several security patches.

This plugin lists the newest version of each patch to install to make sure the remote host is up-to-date.
You need to take the following 2 actions:

[ OpenSSH LoginGraceTime / MaxStartups DoS (67140) ]
+ Action to take: Upgrade to OpenSSH 6.2 and review the associated server configuration settings.

[ Apache 2.2 < 2.2.25 Multiple Vulnerabilities (68915) ]
+ Action to take: Either ensure that the affected modules are not in use or upgrade to Apache version 2.2.25 or later.
+ Impact: Taking this action will resolve 6 different vulnerabilities (CVEs).
19506 - Nessus Scan Information

Synopsis
Information about the Nessus scan.
Description
This script displays, for each tested host, information about the scan itself :
- The version of the plugin set
- The type of plugin feed (HomeFeed or ProfessionalFeed)
- The version of the Nessus Engine
- The port scanner(s) used
- The port range scanned
- Whether credentialed or third-party patch management checks are possible
- The date of the scan
- The duration of the scan
- The number of hosts scanned in parallel
- The number of checks done in parallel
Information about this scan :

Nessus version : 5.2.2
Plugin feed version : 201309251115
Type of plugin feed : HomeFeed (Non-commercial use only)
Scanner IP : 10.42.12.28
Port scanner(s) : nessus_syn_scanner
Port range : 1-65535
Thorough tests : no
Experimental tests : no
Paranoia level : 2
Report Verbosity : 1
Safe checks : yes
Optimize the test : yes
Credentialed checks : no
Patch management checks : None
CGI scanning : enabled
Web application tests : enabled
Web app tests - Test mode : single
Web app tests - Try all HTTP methods : yes
Web app tests - Maximum run time : 10 minutes.
Web app tests - Stop at first flaw : param
Max hosts : 20
Max checks : 4
Recv timeout : 15
Backports : None
Allow post-scan editing: Yes
Scan Start Date : 2013/9/26 4:38
Scan duration : 142 sec
The remote SSH service is susceptible to a remote denial of service attack.
Description
According to its banner, a version of OpenSSH earlier than version 6.2 is listening on this port. The default configuration of OpenSSH installs before 6.2 could allow a remote attacker to bypass the LoginGraceTime and MaxStartups thresholds by periodically making a large number of new TCP connections and thereby prevent legitimate users from gaining access to the service.

Note that this plugin has not tried to exploit the issue or detect whether the remote service uses a vulnerable configuration. Instead, it has simply checked the version of OpenSSH running on the remote host.
Version source : SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
Installed version : 6.0p1
Fixed version : 6.2
11219 - Nessus SYN scanner

Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
The remote SSH daemon supports the following versions of the SSH protocol :
- 1.99
- 2.0

SSHv2 host key fingerprint : d2:2b:99:ab:9b:5e:2e:62:96:4e:b8:57:d2:0c:3d:9c
80/tcp

11229 - Web Server info.php / phpinfo.php Detection

Synopsis
The remote web server contains a PHP script that is prone to an information disclosure attack.
Description
Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including :
- The username of the user who installed php and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation.
The remote web server may be affected by multiple vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.23. It is, therefore, potentially affected by the following vulnerabilities:
- The utility 'apachectl' can receive a zero-length directory name in the LD_LIBRARY_PATH via the 'envvars' file. A local attacker with access to that utility could exploit this to load a malicious Dynamic Shared Object (DSO), leading to arbitrary code execution. (CVE-2012-0883)
- An input validation error exists related to 'mod_negotiation', 'Multiviews' and untrusted uploads that can allow cross-site scripting attacks. (CVE-2012-2687)

Note that Nessus did not actually test for these flaws, but instead has relied on the version in the server's banner.
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.24. It is, therefore, potentially affected by the following cross-site scripting vulnerabilities :
- Errors exist related to the modules mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp and unescaped hostnames and URIs that could allow cross-site scripting attacks. (CVE-2012-3499)
- An error exists related to the mod_proxy_balancer module's manager interface that could allow cross-site scripting attacks. (CVE-2012-4558)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)
Version source : Server: Apache/2.2.22
Installed version : 2.2.22
Fixed version : 2.2.25
11219 - Nessus SYN scanner

Synopsis
It is possible to determine which TCP ports are open.
Description
This plugin is a SYN 'half-open' port scanner. It shall be reasonably quick even against a firewalled target.

Note that SYN scans are less intrusive than TCP (full connect) scans against broken services, but they might cause problems for less robust firewalls and also leave unclosed connections on the remote target, if the network is loaded.
It is possible to enumerate directories on the web server.
Description
This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or not.
The following directories were discovered:
/cgi-bin, /icons

While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards
10662 - Web mirroring

Synopsis
Nessus crawled the remote web site.
Description
This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host.
The remote web server type is : Apache/2.2.22 (Ubuntu)

You can set the directive 'ServerTokens Prod' to limit the information emanating from the server in its response headers.
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
- HTTP methods GET HEAD OPTIONS POST are allowed on :
  /
  /icons
  /manager
  /recipe

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :
  /cgi-bin

- HTTP methods GET HEAD OPTIONS POST are allowed on :
  /
  /icons
  /manager
  /recipe

- Invalid/unknown HTTP methods are allowed on :
  /cgi-bin
24260 - HyperText Transfer Protocol (HTTP) Information

Synopsis
Some information about the remote HTTP configuration can be extracted.
Description
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive and HTTP pipelining are enabled, etc...

This test is informational only and does not denote any security problem.
The remote web server may be affected by multiple cross-site scripting vulnerabilities.
Description
According to its banner, the version of Apache 2.2 installed on the remote host is earlier than 2.2.25. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists in the 'RewriteLog' function where it fails to sanitize escape sequences from being written to log files, making it potentially vulnerable to arbitrary command execution. (CVE-2013-1862)
- A denial of service vulnerability exists relating to the 'mod_dav' module as it relates to MERGE requests. (CVE-2013-1896)

Note that Nessus did not actually test for these issues, but instead has relied on the version in the server's banner.
For your information, here is the traceroute from 10.42.12.28 to 10.42.14.159 :
10.42.12.28
10.42.12.1
10.42.14.159
10662 (1) - Web mirroring

Synopsis
Nessus crawled the remote web site.
Description
This script makes a mirror of the remote web site(s) and extracts the list of CGIs that are used by the remote host.

It is suggested that you change the number of pages to mirror in the 'Options' section of the client.
18261 (1) - Apache Banner Linux Distribution Disclosure

Synopsis
The name of the Linux distribution running on the remote host was found in the banner of the web server.
Description
This script extracts the banner of the Apache web server and attempts to determine which Linux distribution the remote host is running.
Solution
If you do not wish to display this information, edit httpd.conf and set the directive 'ServerTokens Prod' and restart Apache.
The linux distribution detected was :
- Ubuntu 12.04 (precise)
- Ubuntu 12.10 (quantal)
- Ubuntu 13.04 (raring)
This plugin determines which HTTP methods are allowed on various CGI directories.
Description
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory.

As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501.

Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Based on the response to an OPTIONS request :

- HTTP methods GET HEAD OPTIONS POST are allowed on :
  /
  /icons
  /manager
  /recipe

Based on tests of each method :

- HTTP methods ACL BASELINE-CONTROL BCOPY BDELETE BMOVE BPROPFIND BPROPPATCH CHECKIN CHECKOUT COPY DEBUG DELETE GET HEAD INDEX LABEL LOCK MERGE MKACTIVITY MKCOL MKWORKSPACE MOVE NOTIFY OPTIONS ORDERPATCH PATCH POLL POST PROPFIND PROPPATCH PUT REPORT RPC_IN_DATA RPC_OUT_DATA SEARCH SUBSCRIBE UNCHECKOUT UNLOCK UNSUBSCRIBE UPDATE VERSION-CONTROL X-MS-ENUMATTS are allowed on :
  /cgi-bin

- HTTP methods GET HEAD OPTIONS POST are allowed on :
  /
  /icons
  /manager
  /recipe

- Invalid/unknown HTTP methods are allowed on :
  /cgi-bin